The October 2021 edition of the study material for CA Inter Exams includes all amendments made until April 30, 2021.
Notifications, circulars, and other legislative modifications issued before October 31, 2021, will be relevant and valid for the May 2022 exam.
Here is the list of the amendments made in CA Inter Subjects during the period 1st May 2021 to 31st October 2021:
Chapter- 1 (Automated Business Processes):
Risk Management Strategies: Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk.
Risk management involves:
Minimizing uncertain events affecting resources.
1. Tolerate/Accept the risk:
One of the primary functions of management is managing risk.
Some risks may be considered minor because their impact and probability of occurrence are low.
In this case, consciously accepting the risk as a cost of doing business is appropriate. The risks should be reviewed periodically to ensure that their impact remains low.
2. Terminate/Eliminate the risk:
Especially in the case of risks that have high probability and impact values, it may be best to modify any project strategy to avoid them altogether.
For example -
It is possible for a risk to be associated with the use of technology, supplier, or vendor.
The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.
3. Transfer/Share the risk:
Risk mitigation approaches can be shared with trading partners and suppliers.
A good example is outsourcing infrastructure management.
In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization.
4. Treat/mitigate the risk:
Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.
A good example of risk mitigation is planning for the eventuality in case an enterprise won’t have sufficient capacity or supplies to deal with a very high demand.
In that case, the enterprise shall have a mitigation strategy in place that allows it to rapidly scale its capacity, or to subcontract some of the work to other parties to meet the high demand.
Chapter- 3 (Information Systems and Its Components):
New Paragraph inserted after Input, Process and Output
Data shall be stored at the most detailed level possible. Regular backups should be stored at geographically different locations so that a major disaster such as flooding or fire does not affect both the original data storage and the backup data storage.
Apart from these activities, an information system also needs feedback, which is returned to the appropriate members of the enterprise to help them evaluate the system at the input stage.
Classification based on “Nature of Information System Resources”:
These are as follows:
(A) Environmental Controls:
These are the controls relating to the IT environment, such as power, air-conditioners, Uninterrupted Power Supply (UPS), smoke detectors, fire extinguishers, dehumidifiers, etc.
I. Fire: It is a major threat to the physical security of a computer installation.
Controls for Fire Exposure:
1. Smoke Detectors:
Smoke detectors should be positioned at places above and below the ceiling tiles. Upon activation, these detectors should produce an audible alarm and must be linked to a monitored station (for example, a fire station).
2. Norms to reduce Electric Fires:
To reduce the risk of electric fires, the location of the computer room should be strategically planned and should not be in the basement or ground floor of a multi-story building.
Less wood and plastic material should be used in computer rooms.
To reduce the risk of electric fire occurring and spreading, wiring should be placed in the fire-resistant panels and conduit.
This conduit generally lies under the fire-resistant raised floor in the computer room. Fireproof Walls, Floors and Ceilings surrounding the Computer Room and Fire-resistant office materials such as waste baskets, curtains, desks, and cabinets should be used.
3. Fire Extinguishers:
Manual fire extinguishers can be placed at strategic locations. Fire Alarms, Extinguishers, Sprinklers, Instructions / Fire Brigade Nos., Smoke detectors, and Carbon-dioxide-based fire extinguishers should be well placed and maintained.
4. Fire Alarms:
Both automatic and manual fire alarms may be placed at strategic locations and a control panel may be installed to clearly indicate this.
Besides the control panel, master switches may be installed for power and automatic fire suppression system.
A gas-based fire suppression system is preferable, however, depending upon the situation, different fire suppression techniques like Dry-pipe sprinkling systems, water-based systems, halon, etc., may be used.
When a fire alarm is activated, a signal may be sent automatically to a permanently manned station.
5. Regular Inspection and Raising awareness:
Regular inspection by Fire Department Officials should be conducted. The procedures to be followed during an emergency should be properly documented. Fire Exits should be clearly marked, and all the staff members should know how to use the system in case of an emergency.
6. Documented and Tested Emergency Evacuation Plans :
Relocation plans should emphasize human safety but should not leave information processing facilities physically unsecured. Procedures should exist for a controlled shutdown of the computer in an emergency. In all circumstances, saving human life should be given paramount importance.
II. Electrical Exposures: NO AMENDMENT
III. Water Damage: Water damage to a computer installation can be the outcome of burst water pipes. Water damage may also result from other sources such as cyclones, tornadoes, floods, etc.
Controls for Water Exposure
1. Water Detectors:
These should be placed under the raised floor, near drain holes, and near any unattended equipment storage facilities.
2. Strategically locating the computer room:
To reduce the risk of flooding, the computer room should not be located in the basement or on the ground floor of a multi-story building.
Some of the major ways of protecting the installation against water damage are as follows:
- Wherever possible have waterproof ceilings, walls, and floors;
- Ensure an adequate positive drainage system exists;
- Install alarms at strategic points within the installation;
- In flood-prone areas, locate the installation on the upper floors but not on the top floor;
- Waterproofing; and
- Water leakage Alarms.
IV. Pollution Damage and others: NO AMENDMENT
Classification Based on Audit Functions:
A) MANAGERIAL CONTROLS
(II) Systems Development Management Controls
(a) Problem definition and Feasibility assessment:
Information Systems can be developed to help resolve problems or to take advantage of opportunities. All the stakeholders must reach agreement on the problem and should understand the possible threats associated with possible solutions/systems related to asset safeguarding, data integrity, system effectiveness, and system efficiency.
The feasibility assessment is done to obtain a commitment to change and to evaluate whether cost-effective solutions are available to address the problem or opportunity that has been identified. All solutions must be properly and formally authorized to ensure their economic justification and feasibility.
(b) Analysis of existing system:
Designers need to analyze the existing system that involves two major tasks:
- Studying the existing organizational history, structure, and culture to gain an understanding of the social and task systems in place, the ways these systems are coupled, and the willingness of stakeholders to change.
- Studying the existing product and information flows as the proposed system will be based primarily on current product and information flows. The designers need to understand the strengths and weaknesses of an existing product to determine the new system requirements and the extent of change required.
(c) Information Processing System design:
This phase involves the following activities:
1. Elicitation of detailed requirements:
Either ask the stakeholders for their requirements, where they are aware of them, or discover the requirements through analysis and experimentation, where the stakeholders are uncertain about their needs.
2. Design of data/information flow:
The designers shall determine the flow of data/information and transformation points, the frequency and timing of the data and information flow, and the extent to which data and information flow will be formalized. Tools such as DFD can be used for this purpose.
3. Design of Database and user interface:
The design of a database involves determining its scope and structure, whereas the design of the user interface determines the ways in which users interact with a system.
4. Physical design:
This involves breaking up the logical design into units which in turn can be decomposed further into implementation units such as programs and modules.
5. Design of the hardware/software platform:
In case the hardware and software platforms are not available in the organization, the new platforms are required to be designed to support the proposed system.
(d) Hardware/Software acquisition and procedures development:
To purchase a new application system or hardware, a request for proposal must be prepared, vendor proposals are sought, and the final decision is made based on their evaluation.
(e) Acceptance Testing and Conversion:
Acceptance Testing is carried out to identify errors or deficiencies in the system prior to its final release into production use. The conversion phase comprises the activities undertaken to place the new system in operation.
(f) Operation and Maintenance:
In this phase, the new system is run as a production system and periodically modified to better meet its objectives. A formal process is required to identify and record the need for changes to a system and to authorize and control the implementation of needed changes.
The maintenance activities associated with these systems need to be approved and monitored carefully.
(IV) Data Resource Management Controls
(a) Definition Controls:
These controls are placed to ensure that the database always corresponds and complies with its definition standards.
(b) Existence/Backup Controls:
These controls ensure the existence of the database by establishing backup and recovery procedures. Backup refers to making copies of the data so that these additional copies may be used to restore the original data after a data loss.
Backup controls ensure the availability of the system in the event of data loss due to unauthorized access, equipment failure or physical disaster; the organization can retrieve its files and databases.
Various backup strategies like the dual recording of data; periodic dumping of data; logging input transactions and changes to the data may be used.
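The following Python sketch is an added illustration (not part of the ICAI study material) of two of the strategies named above, periodic dumping of data and logging of changes. It keeps a small key-value store with a write-ahead transaction log, takes a periodic dump, and reconstructs the latest state after a simulated data loss by replaying the log entries made after the dump. The store, its operations and the invoice records are constructed for the example.

```python
import copy


def _execute(data, op, key, value):
    """Apply one logged operation to an in-memory table."""
    if op == "put":
        data[key] = value
    elif op == "delete":
        data.pop(key, None)
    else:
        raise ValueError(f"unknown operation {op!r}")


class LoggedStore:
    """Toy key-value store (constructed for this example) with a transaction
    log and periodic dumps, mirroring the backup strategies named in the text."""

    def __init__(self):
        self.data = {}      # live database contents
        self.log = []       # append-only log of (seq, op, key, value)
        self.seq = 0        # sequence number of the last logged change
        self.dumps = []     # list of (seq_at_dump, snapshot copy)

    def put(self, key, value):
        self._apply("put", key, value)

    def delete(self, key):
        self._apply("delete", key, None)

    def _apply(self, op, key, value):
        # Write-ahead: the change is logged before it touches the live data,
        # so a crash between the two steps never leaves an unlogged update.
        self.seq += 1
        self.log.append((self.seq, op, key, value))
        _execute(self.data, op, key, value)

    def dump(self):
        """Periodic dump: a full copy of the data tagged with the log position."""
        self.dumps.append((self.seq, copy.deepcopy(self.data)))


def recover(dump_seq, dump_data, log):
    """Rebuild the latest state: start from the dump, replay later log entries."""
    data = copy.deepcopy(dump_data)
    for seq, op, key, value in log:
        if seq > dump_seq:
            _execute(data, op, key, value)
    return data


def demo_recovery():
    """Simulate loss of the live data and recover it from dump + log.
    Returns (state before loss, state from dump alone, state from dump + log)."""
    store = LoggedStore()
    store.put("inv-1001", {"customer": "A", "amount": 1200})   # constructed records
    store.put("inv-1002", {"customer": "B", "amount": 800})
    store.dump()                                  # backup taken here
    store.put("inv-1003", {"customer": "C", "amount": 450})
    store.delete("inv-1001")                      # changes made after the dump
    before_loss = copy.deepcopy(store.data)

    store.data.clear()                            # simulated disk failure

    dump_seq, dump_data = store.dumps[-1]
    from_dump_only = copy.deepcopy(dump_data)     # stale: misses later changes
    recovered = recover(dump_seq, dump_data, store.log)
    return before_loss, from_dump_only, recovered


if __name__ == "__main__":
    before, stale, fixed = demo_recovery()
    print("state before loss  :", before)
    print("dump alone restores:", stale)
    print("dump + log restores:", fixed)
```

Restoring from the dump alone brings back a state that is missing every change made since the dump was taken; only the dump together with the log reproduces the state that existed just before the loss, which is why the text lists logging of transactions and changes alongside periodic dumping.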
(c) Access Controls:
These controls are designed to prevent unauthorized individuals from viewing, retrieving, computing, or destroying the entity's data. User Access Controls are established through passwords, tokens, and biometric controls; and Data Encryption controls are established by keeping the data in the database in encrypted form.
(d) Update Controls:
These controls restrict the update of the database to authorized users in two ways: either by permitting only the addition of data to the database, or by allowing users to change or delete existing data.
(e) Concurrency Controls:
These controls provide solutions, agreed-upon schedules, and strategies to overcome the data integrity problems that may arise when two update processes access the same data item at the same time.
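As an added example (not from the study material), the Python code below shows the lost-update problem that concurrency controls exist to prevent: two transactions read the same balance, each adds its deposit, and the second write silently overwrites the first. The same update performed under a lock is serialised and no deposit is lost. The account, the deposit amounts and the artificial delay that widens the race window are constructed for the example.

```python
import threading
import time


class Account:
    """Constructed example account whose balance is updated concurrently."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def deposit_unsafe(self, amount, delay):
        # Read-modify-write with no coordination: two callers can both read
        # the same old balance, so one of the two deposits is lost.
        current = self.balance
        time.sleep(delay)            # widens the race window for the demo
        self.balance = current + amount

    def deposit_locked(self, amount, delay):
        # The lock serialises the read-modify-write: the second transaction
        # cannot read the balance until the first has written its result.
        with self._lock:
            current = self.balance
            time.sleep(delay)
            self.balance = current + amount


def run_concurrent_deposits(start, amount, workers, use_lock, delay=0.05):
    """Run `workers` deposits at the same time and return the final balance."""
    account = Account(start)
    method = account.deposit_locked if use_lock else account.deposit_unsafe
    threads = [threading.Thread(target=method, args=(amount, delay))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return account.balance


def expected_balance(start, amount, workers):
    """What the balance must be if every deposit is applied exactly once."""
    return start + amount * workers


if __name__ == "__main__":
    print("expected      :", expected_balance(100, 10, 4))
    print("without lock  :", run_concurrent_deposits(100, 10, 4, use_lock=False))
    print("with lock     :", run_concurrent_deposits(100, 10, 4, use_lock=True))
```

The unlocked run typically ends at 110 instead of 140, which is the data integrity problem the text refers to; a lock is the simplest of the agreed-upon strategies, and database systems use the same idea in the form of row locks or version checks on update.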
(f) Quality Controls:
These controls ensure the accuracy, completeness, and consistency of data maintained in the database. This may include traditional measures such as program validation of input data and batch controls over data in transit through the organization.
(B) APPLICATION CONTROL
(I) Boundary Controls
(a) Cryptographic Controls:
These are designed to protect the privacy of data and prevent unauthorized modification of data by scrambling it. They deal with programs for transforming data into ciphertext that is meaningless to anyone who does not possess the authentication to access the respective system resource or file.
A cryptographic technique transforms (encrypts) data (known as cleartext) into cryptograms (known as ciphertext) and its strength depends on the time and costs to decipher the ciphertext by a cryptanalyst.
Three techniques of cryptography that are used are Transposition (permute the order of characters within a set of data), Substitution (replace text with a key-text), and Product Ciphers (combination of transposition and substitution).
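To make the three techniques concrete, the Python code below (an added example, not part of the study material) implements a simple substitution cipher, a columnar transposition cipher, and a product cipher that applies substitution followed by transposition. The substitution key, the column count and the sample plaintext are constructed for the example.

```python
import string

ALPHABET = string.ascii_uppercase
# Constructed key for the substitution step: a permutation of the 26 letters.
SAMPLE_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"


def _letters(text):
    """Keep only A-Z so the ciphers operate on a fixed alphabet."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def substitution_encrypt(plaintext, key=SAMPLE_KEY):
    """Substitution: replace each letter by the letter at the same index in the key."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of A-Z")
    return _letters(plaintext).translate(str.maketrans(ALPHABET, key))


def substitution_decrypt(ciphertext, key=SAMPLE_KEY):
    """Reverse the substitution by mapping the key alphabet back to A-Z."""
    return ciphertext.translate(str.maketrans(key, ALPHABET))


def transposition_encrypt(plaintext, columns, pad="X"):
    """Columnar transposition: write the text row by row into `columns` columns
    and read it out column by column. The letters are unchanged, only permuted."""
    text = _letters(plaintext)
    if len(text) % columns:
        text += pad * (columns - len(text) % columns)
    rows = [text[i:i + columns] for i in range(0, len(text), columns)]
    return "".join(row[c] for c in range(columns) for row in rows)


def transposition_decrypt(ciphertext, columns):
    """Undo the columnar transposition (padding characters are kept)."""
    depth = len(ciphertext) // columns
    cols = [ciphertext[i:i + depth] for i in range(0, len(ciphertext), depth)]
    return "".join(cols[c][r] for r in range(depth) for c in range(columns))


def product_encrypt(plaintext, columns, key=SAMPLE_KEY):
    """Product cipher: substitution followed by transposition."""
    return transposition_encrypt(substitution_encrypt(plaintext, key), columns)


def product_decrypt(ciphertext, columns, key=SAMPLE_KEY):
    """Reverse the product cipher in the opposite order."""
    return substitution_decrypt(transposition_decrypt(ciphertext, columns), key)


if __name__ == "__main__":
    print(substitution_encrypt("attack at dawn"))        # substitution only
    print(transposition_encrypt("attack at dawn", 4))    # transposition only
    print(product_encrypt("attack at dawn", 4))          # both combined
```

A substitution alone preserves letter frequencies and a transposition alone preserves the letters themselves, so each on its own is cheap for a cryptanalyst to undo; the text's point that strength depends on the time and cost of deciphering is why modern block ciphers are product ciphers that repeat substitution and permutation over many rounds.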
(b) Access Controls:
These controls restrict the use of computer system resources to authorized users, limit the actions authorized users can take with these resources and ensure that users obtain only authentic computer system resources.
The access control mechanism involves three steps:
1. Identification: the user identifies himself/herself by providing the unique user ID or account number allotted to him/her.
2. Authentication: the claimed identity is proved with the help of a password, which may involve personal characteristics like name, birth date, employee code, designation, or a combination of two or more of these.
Biometric identification, including thumb or finger impressions, eye retina, etc., and information stored in identification cards can also be used in the authentication process.
3. Authorization refers to the set of actions allowed to a user once authentication has succeeded.
For example – Read, Write, Print, etc. permissions are allowed to an individual user.
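The three steps can be seen together in the Python sketch below, an added example that is not part of the study material. Identification is the lookup of the claimed user ID, authentication is the check of a salted password hash, and authorization is the check of the requested action (Read, Write or Print) against the set granted to that user. The user accounts, passwords and permission sets are constructed for the example.

```python
import hashlib
import hmac
import os

# The actions named in the text; constructed permission vocabulary for this example.
ACTIONS = {"READ", "WRITE", "PRINT"}


class AccessControl:
    """Three-step access control: identification, authentication, authorization.
    Constructed for this example; not a real product's API."""

    def __init__(self):
        self._users = {}   # user_id -> {"salt": bytes, "hash": bytes, "actions": set}

    @staticmethod
    def _derive(password, salt):
        # The password itself is never stored, only a salted, slow hash of it.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id, password, actions):
        unknown = set(actions) - ACTIONS
        if unknown:
            raise ValueError(f"unknown actions: {unknown}")
        salt = os.urandom(16)
        self._users[user_id] = {
            "salt": salt,
            "hash": self._derive(password, salt),
            "actions": set(actions),
        }

    def authenticate(self, user_id, password):
        """Steps 1 and 2: look up the claimed identity and verify the secret.
        Returns the set of authorized actions on success, None on failure."""
        record = self._users.get(user_id)
        if record is None:
            # Unknown ID: do the same amount of work so response time does
            # not reveal which IDs exist, then deny.
            self._derive(password, bytes(16))
            return None
        candidate = self._derive(password, record["salt"])
        if not hmac.compare_digest(record["hash"], candidate):
            return None
        return set(record["actions"])

    def is_authorized(self, user_id, password, action):
        """Step 3: an action is allowed only after successful authentication."""
        allowed = self.authenticate(user_id, password)
        return allowed is not None and action in allowed


def build_demo():
    """Constructed accounts: a clerk who may read and print, a manager who may also write."""
    ac = AccessControl()
    ac.register("clerk01", "correct horse", {"READ", "PRINT"})
    ac.register("mgr07", "battery staple", {"READ", "WRITE", "PRINT"})
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print("clerk01 READ :", ac.is_authorized("clerk01", "correct horse", "READ"))
    print("clerk01 WRITE:", ac.is_authorized("clerk01", "correct horse", "WRITE"))
    print("wrong passwd :", ac.authenticate("clerk01", "guess"))
```

The same wrong result (None) is returned for an unknown ID and for a wrong password, so the boundary control does not tell a caller which of the two failed; the permission check never runs unless authentication has succeeded first.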
(c) Personal Identification Numbers (PIN):
As already discussed before, we may recall that it is a form of remembered information used to authenticate users like verification of customers in electronic fund transfer systems. The PIN is like a password assigned to a user by an institution, a random number stored in its database independent of user identification details.
The life cycle of a PIN comprises the following phases:
(a) Generation of the PIN;
(b) Issuance and delivery of PIN to users;
(c) Validation of the PIN upon entry at the terminal device;
(d) Transmission of the PIN across communication lines;
(e) Processing of the PIN;
(f) Storage of the PIN;
(g) Change of the PIN;
(h) Replacement of the PIN; and
(i) Termination of the PIN.
A PIN may be exposed to vulnerabilities at any stage of the life cycle of PIN and therefore, controls need to be put in place and working to reduce exposures to an acceptable level.
(d) Digital Signatures:
Establishing the authenticity of persons and preventing the denial of messages or contracts are critical requirements when data is exchanged in electronic form. A Digital Signature (a string of 0’s and 1’s) is used as the counterpart of an analog (handwritten) signature for such e-documents.
Digital Signatures are not constant like analog signatures – they vary across messages and cannot be forged.
(e) Plastic Cards:
We may recall that while PIN and Digital Signatures are used for authentication purposes, plastic cards are used primarily for identification purposes.
This includes the phases namely - application for a card, preparation of the card, issue of the card, use of the card, and card return or card termination.
(IV) Output Controls:
(a) Inference Controls:
These are used to prevent the compromise of statistical databases from which users can obtain only aggregate statistics rather than the values of individual data items. These are restriction controls that limit the set of responses provided to users to try to protect the confidentiality of data about persons in the database.
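The restriction described above can be implemented as a query-set-size control, shown in the Python code below as an added example that is not part of the study material. The database answers only aggregate queries (count, mean), and refuses any query whose matching set has fewer than k records or fewer than k records outside it, since either case would reveal an individual's value. The employee records and the threshold k are constructed for the example.

```python
EMPLOYEES = [  # constructed sample records for the example
    {"id": 1, "dept": "Audit", "salary": 52000},
    {"id": 2, "dept": "Audit", "salary": 61000},
    {"id": 3, "dept": "Audit", "salary": 58000},
    {"id": 4, "dept": "Tax", "salary": 45000},
    {"id": 5, "dept": "Tax", "salary": 70000},
    {"id": 6, "dept": "IT", "salary": 90000},
]


class StatisticalDatabase:
    """Answers only aggregate queries, and only when the query set is neither
    too small nor too close to the whole population (query-set-size restriction).
    A suppressed query returns None instead of a value."""

    def __init__(self, records, k):
        self.records = records
        self.k = k                       # minimum permitted query-set size

    def _query_set(self, predicate):
        return [r for r in self.records if predicate(r)]

    def _permitted(self, size):
        n = len(self.records)
        # Fewer than k records identifies individuals directly; more than n-k
        # records identifies the few who are left out, via the complement.
        return self.k <= size <= n - self.k

    def count(self, predicate):
        rows = self._query_set(predicate)
        return len(rows) if self._permitted(len(rows)) else None

    def mean(self, field, predicate):
        rows = self._query_set(predicate)
        if not self._permitted(len(rows)):
            return None
        return sum(r[field] for r in rows) / len(rows)


if __name__ == "__main__":
    db = StatisticalDatabase(EMPLOYEES, k=2)
    print("Audit headcount   :", db.count(lambda r: r["dept"] == "Audit"))
    print("Audit mean salary :", db.mean("salary", lambda r: r["dept"] == "Audit"))
    print("IT mean salary    :", db.mean("salary", lambda r: r["dept"] == "IT"))
    print("salary < 90000    :", db.count(lambda r: r["salary"] < 90000))
```

With six records and k = 2, the query for the one-person IT department is suppressed, and so is the query for "everyone earning under 90,000", because its complement is that same single person. Size restriction alone is a minimum control rather than a complete one: overlapping permitted queries can still be combined to isolate an individual, which is why statistical databases also limit query overlap or add noise to results.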
(b) Batch Output Production and Distribution Controls:
Batch output in the form of tables, graphs or images, etc. is produced at some operations facility and distributed to users of the output.
This includes several controls:
- Report program execution Controls to ensure that only authorized users are permitted to execute batch report programs and that these events are logged and monitored;
- Spooling file Controls: spooling allows users to continue working while a queue of documents waits to be printed on a particular printer; these controls ensure that the waiting files are not subject to unauthorized modification;
- Printing Controls to ensure that output is made on the correct printer and that unauthorized disclosure of printed information does not take place;
- Report collection Controls to ensure that reports are collected immediately and secured to avoid unauthorized disclosure and data leakage;
- User/Client service Review Controls to ensure that users obtain higher quality output and that errors or irregularities in output are detected;
- Report distribution Controls to ensure that the time gap between generation and distribution of reports is reduced, and that a log is maintained of the reports generated and to whom they were distributed;
- User output Controls to ensure that users review output on a timely basis;
- Storage Controls to ensure proper preservation of output in an ideal environment, secured storage of output, and appropriate inventory controls over the stored output; and
- Retention and Destruction Controls in terms of deciding the time duration for which the output shall be retained and then destroying it when no longer required.
(c) Batch Report Design Controls:
Batch report design features should comply with the control procedures laid down for them during the output process. The information incorporated in a well-designed batch report shall facilitate its flow through the output process and the execution of controls.
(d) Online output production and Distribution Controls:
These deal with the controls to be considered at the various phases: establishing the output at the source, distributing, communicating, receiving, viewing, retaining, and destroying the output.
- Source Controls ensure that output that can be generated or accessed online is authorized, complete and timely;
- Distribution Controls prevent unauthorized copying of online output when it is distributed to a terminal;
- Communication Controls reduce exposures from attacks during transmission;
- Receipt Controls evaluate whether the output should be accepted or rejected;
- Review Controls ensure timely action by the intended recipients on the output;
- Disposition Controls educate employees on the actions that can be taken on the online output they receive; and
- Retention Controls evaluate for how long the output is to be retained, and Deletion Controls delete the output once expired.
(V) Database Controls:
(a) Access Controls:
These controls in the database subsystem seek to prevent unauthorized access to and use of the data. A security policy has to be specified followed by choosing an access control mechanism that will enforce the policy chosen.
If the database is replicated, the same access control rules must be enforced by the access control mechanism at each site.
(b) Integrity Controls:
These are required to ensure that the accuracy, completeness, and uniqueness of instances used within the data or conceptual modeling are maintained. Integrity Constraints are established to specify the type of relationship and the consistency among rows (tuples) in a relation.
(c) Application Software Controls:
When application software acts as the interface between the user and the database, the DBMS depends on the application software to pass across a correct sequence of commands and update parameters, so that appropriate actions can be taken when certain types of exception condition arise.
This is achieved through Update Controls that ensure that changes to the database reflect changes to the real-world entities and associations between entities that data in the database is supposed to represent and Report Controls that identify errors or irregularities that may have occurred when the database has been updated.
(d) Concurrency Controls:
These are required to address the situation that arises either due to simultaneous access to the same database or due to deadlock.
(e) Cryptographic Controls: (Already discussed under Boundary Controls)
These controls can be well used for protecting the integrity of data stored in the database using block encryption.
(f) File Handling Controls:
These controls are used to prevent accidental destruction of data contained on a storage medium. These are exercised by hardware, software, and the operators or users who load/unload storage media.
(VI) Communication Controls
(a) Physical Component Controls:
In the communications subsystem, the physical components shall have characteristics that make them reliable and incorporate features and controls that mitigate the possible effects of exposures.
Major physical components that affect the reliability of the communication subsystem are:
- Port protection devices;
- Multiplexers and concentrators, etc.
(b) Line Error Controls:
Whenever data is transmitted over a communication line, it can be received in error because of attenuation, distortion, or noise that occurs on the line. These errors must be detected and corrected.
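The detection-and-correction step can be illustrated with a Hamming(7,4) code, shown in the Python code below as an added example that is not part of the study material. Four data bits are sent with three parity bits; on receipt the parity checks are recomputed and their pattern (the syndrome) names the position of a single corrupted bit, which is then flipped back. The sample nibble and the simulated line error are constructed for the example.

```python
def hamming_encode(data):
    """Encode 4 data bits [d1, d2, d3, d4] into a 7-bit Hamming(7,4) codeword.
    Bit positions 1..7 are p1 p2 d1 p3 d2 d3 d4; each parity bit covers the
    positions whose binary index has that parity bit's weight set."""
    d1, d2, d3, d4 = data
    p1 = d1 ^ d2 ^ d4          # covers positions 1, 3, 5, 7
    p2 = d1 ^ d3 ^ d4          # covers positions 2, 3, 6, 7
    p3 = d2 ^ d3 ^ d4          # covers positions 4, 5, 6, 7
    return [p1, p2, d1, p3, d2, d3, d4]


def hamming_decode(code):
    """Return (data_bits, corrected_position). A syndrome of 0 means no error
    was detected; otherwise it is the 1-based position of the flipped bit."""
    p1, p2, d1, p3, d2, d3, d4 = code
    s1 = p1 ^ d1 ^ d2 ^ d4
    s2 = p2 ^ d1 ^ d3 ^ d4
    s3 = p3 ^ d2 ^ d3 ^ d4
    syndrome = s1 + 2 * s2 + 4 * s3
    fixed = list(code)
    if syndrome:
        fixed[syndrome - 1] ^= 1   # correct the single-bit error in place
    return [fixed[2], fixed[4], fixed[5], fixed[6]], syndrome


def flip_bit(code, position):
    """Simulate a line error (noise) that inverts one bit at a 1-based position."""
    noisy = list(code)
    noisy[position - 1] ^= 1
    return noisy


if __name__ == "__main__":
    nibble = [1, 0, 1, 1]                      # constructed sample data
    sent = hamming_encode(nibble)
    received = flip_bit(sent, 5)               # noise hits data bit d2
    print("sent      :", sent)
    print("received  :", received)
    print("decoded   :", hamming_decode(received))
```

The code corrects any single flipped bit, whether it lands on a data bit or a parity bit. It cannot tell a double-bit error apart from a single one at a different position and would "correct" the wrong bit, which is why link protocols pair short error-correcting codes with a stronger detecting checksum and retransmission for the cases correction cannot handle.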
(c) Flow Controls:
Flow controls are needed because two nodes in a network can differ in the rate at which they can send, receive, and process data.
For example, data transmission between a mainframe and a microcomputer may become erroneous because of differences in their speed and storage capacity. Flow controls are therefore used to prevent the mainframe from flooding the microcomputer, which would otherwise result in data loss.
(d) Link Controls:
In Wide Area Network (WAN), line error control and flow control are important functions in the component that manages the link between two nodes in a network. The way these link-management components operate is specified via a protocol.
(e) Topological Controls:
A communication network topology specifies the location of nodes within a network, the ways in which these nodes will be linked, and the data transmission capabilities of the links between the nodes.
The network must be available for use at any one time by a given number of users, which may require alternative hardware, software, or routing of messages.
(f) Channel Access Controls:
Two different nodes in a network can compete to use a communication channel simultaneously, leading to the possibility of contention for the channel existing. Therefore, some type of channel access control techniques like polling method (defining an order in which a node can gain access to a channel capacity) or contention method (nodes in the network must compete with each other to gain access to a channel) must be used.
(g) Controls over Subversive threats:
Firstly, physical barriers need to be established to protect the data traversing the subsystem.
Secondly, in case the intruder has somehow gained access to the data, the data needs to be rendered useless when access occurs.
(h) Internetworking Controls:
Different internetworking devices like bridges, routers, and gateways are used to establish connectivity between homogeneous or heterogeneous networks.
Therefore, several control functions in terms of access control mechanisms, security, and reliability of the networks are required to be established.
Managerial Controls and their Audit Trails:
(IV) Auditing Data Resource Management Controls:
- Auditors should determine what controls are exercised to maintain data integrity.
- They might also interview database users to determine their level of awareness of these controls.
- Auditors might employ test data to evaluate whether access controls and update controls are working.
- Auditors might interview the Data Administrator (DA) and Database Administrator (DBA) to determine the procedures used by them to monitor the database environment.
- Auditors need to assess how well the DA and DBA carry out the functions of database definition, creation, redefinition, and retirement.
(V) Auditing Security Management Controls:
- Auditors must evaluate whether security administrators are conducting ongoing, high-quality security reviews or not;
- Auditors need to evaluate the performance of BCP controls. The BCP controls are related to having an operational and tested IT continuity plan, which is in line with the overall business continuity plan and its related business requirements to make sure IT services are available as required and to ensure a minimum impact on business in the event of a major disruption.
- Auditors check whether the organizations audited have appropriate, high-quality disaster recovery plan in place or not; and
- Auditors check whether the organizations have opted for an appropriate insurance plan or not.
Auditing the Application Control Framework
(I) Auditing Boundary Controls:
Auditors need to determine how well the boundary controls safeguard assets and preserve data integrity.
- For any application system in particular, auditors need to determine whether the access control mechanism implemented in that system is sufficient or not.
- Auditors need to ensure that careful control must be exercised over maintenance activities, in case of hardware failure.
- Auditors need to address three aspects to assess cryptographic key management:
  - how keys will be generated;
  - how they will be distributed to users; and
  - how they will be installed in cryptographic facilities.
- Auditors need to understand which approach has been used to implement access control so that they can predict the likely problems they will encounter in the application systems they are evaluating.
(II) Auditing Input Controls:
- Auditors must understand the fundamentals of good source document design so as to analyze what and how the data will be captured and by whom, how the data will be prepared and entered into the computer systems and how the document will be handled, stored and filed.
- Auditors must be able to examine the data-entry screens used in an application system and to come to a judgement on the frequency with which input errors are likely to be made and the extent to which the screen design enhances or undermines effectiveness and efficiency.
- Auditors must evaluate the quality of the coding systems used in the application system to determine their likely impact on the data integrity, effectiveness, and efficiency objectives.
- Auditors need to comprehend various approaches used to enter data into an application system and their relative strengths and weaknesses.
- Auditors need to check whether input files are stored securely and backup copies of it are maintained at an offsite location so that recovery remains unaffected in case the system’s master files are destroyed or corrupted.
(III) Auditing Communication Controls:
- Auditors shall adopt a structured approach to examine and evaluate various controls in the communication subsystem.
- Auditors need to collect enough evidence to establish a level of assurance that data transmission between two nodes in a wide area network is accurate and complete.
- Auditors need to look at whether adequate network backup and recovery controls are practiced regularly or not. These controls may include automatic line speed adjustments by modems based on different noise levels, choice of network topology, alternative routes between sender and receiver, etc., to strengthen network reliability.
- Auditors must assess the implementation of encryption controls to ensure the protection of the privacy of sensitive data.
- Auditors must assess the topological controls to review the logical arrangement of various nodes and their connectivity using various internetworking devices in a network.
(IV) Auditing Processing Controls:
- Auditors should determine whether user processes are able to control unauthorized activities like gaining access to sensitive data.
- Auditors should evaluate whether the common programming errors that can result in incomplete or inaccurate processing of data have been taken care of or not.
- Auditors should assess the performance of validation controls to check for any data processing errors.
- Auditors need to check for the checkpoint and restart controls that enable the system to recover itself from the point of failure. The restart facilities need to be implemented well so that the program restarts from the point up to which processing was accurate and complete rather than from scratch.
(V) Auditing Database Controls:
- Auditors should check for the mechanism if a damaged or destroyed database can be restored in an authentic, accurate, complete, and timely way.
- Auditors should comprehend backup and recovery strategies for restoration of the damaged or destroyed database in the event of a failure that could be because of an application program error, system software error, hardware failure, procedural error, and environmental failure.
- Auditors shall evaluate whether the privacy of data is protected during all backup and recovery activities.
- Auditors should check for proper documentation and implementation of the decisions made on the maintenance of the private and public keys used under cryptographic controls.
- Auditors should address their concerns regarding the maintenance of data integrity and the ways in which files must be processed to prevent integrity violations.
(VI) Auditing Output Controls:
- Auditors should determine what report programs are sensitive, who all are authorized to access them, and that only the authorized persons are able to execute them.
- Auditors should review whether the action privileges that are assigned to authorized users are appropriate to their job requirements or not.
- Auditors must evaluate how well the client organizations are provided controls in terms of an alteration of the content of printer files, number of printed copies, etc.
- Auditors should determine whether the report collection, distribution, and printing controls are well executed in an organization or not.